| Name | Data Source | MITRE ATT&CK Technique | Analytic Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Splunk Information Disclosure on Account Login | Splunk | T1087 | Hunting | Splunk Vulnerabilities | 2026-05-14 |
| Splunk Authentication Token Exposure in Debug Log |  | T1654 | TTP | Splunk Vulnerabilities | 2026-05-14 |
| Splunk Path Traversal In Splunk App For Lookup File Edit | Splunk | T1083 | Hunting | Splunk Vulnerabilities | 2026-05-14 |
| Windows Group Discovery Via Net | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1069.001, T1069.002 | Hunting | Active Directory Discovery, IcedID, Cleo File Transfer Software, Graceful Wipe Out Attack, Windows Discovery Techniques, Rhysida Ransomware, Windows Post-Exploitation, SolarWinds WHD RCE Post Exploitation, Volt Typhoon, Prestige Ransomware, Microsoft WSUS CVE-2025-59287, Azorult, Medusa Ransomware | 2026-05-13 |
| Windows Password Policy Discovery with Net | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1201 | Hunting | Active Directory Discovery | 2026-05-13 |
| Windows Administrative Shares Accessed On Multiple Hosts | Windows Event Log Security 5140, Windows Event Log Security 5145 | T1135 | TTP | Active Directory Privilege Escalation, Active Directory Lateral Movement | 2026-05-13 |
| Windows AD Privileged Object Access Activity | Windows Event Log Security 4662 | T1087.002 | TTP | Active Directory Discovery, BlackSuit Ransomware | 2026-05-13 |
| Windows Chromium Process Launched with Logging Disabled | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1497 | Anomaly | Browser Hijacking | 2026-05-13 |
| GetWmiObject Ds Group with PowerShell Script Block | Powershell Script Block Logging 4104 | T1069.002 | TTP | Active Directory Discovery | 2026-05-13 |
| System User Discovery With Whoami | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1033 | Hunting | Qakbot, Active Directory Discovery, Winter Vivern, Lotus Blossom Chrysalis Backdoor, Rhysida Ransomware, LAMEHUG, CISA AA23-347A, PHP-CGI RCE Attack on Japanese Organizations | 2026-05-13 |
| Windows Large Number of Computer Service Tickets Requested | Windows Event Log Security 4769 | T1078, T1135 | Anomaly | Active Directory Privilege Escalation, Active Directory Lateral Movement | 2026-05-13 |
| Windows Hosts File Access | Windows Event Log Security 4663 | T1012 | Anomaly | Gh0st RAT, BlankGrabber Stealer | 2026-05-13 |
| Domain Controller Discovery with Wmic | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1018 | Hunting | Active Directory Discovery | 2026-05-13 |
| Windows Domain Account Discovery Via Get-NetComputer | Powershell Script Block Logging 4104 | T1087.002 | Anomaly | CISA AA23-347A | 2026-05-13 |
| Wmic Group Discovery | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1069.001 | Anomaly | Active Directory Discovery, LAMEHUG | 2026-05-13 |
| Windows Chromium process Launched with Disable Popup Blocking | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1497 | Anomaly | Browser Hijacking | 2026-05-13 |
| User Discovery With Env Vars PowerShell | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1033 | Hunting | Active Directory Discovery | 2026-05-13 |
| Elevated Group Discovery with PowerView | Powershell Script Block Logging 4104 | T1069.002 | Hunting | Active Directory Discovery | 2026-05-13 |
| DSQuery Domain Discovery | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1482 | TTP | Domain Trust Discovery, Active Directory Discovery, Compromised Windows Host | 2026-05-13 |
| System User Discovery With Query | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1033 | Hunting | Medusa Ransomware, Active Directory Discovery | 2026-05-13 |
| Windows Net System Service Discovery | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1007 | Hunting | Gh0st RAT, LAMEHUG | 2026-05-13 |
| Windows Azure PowerShell Module Installation Via PowerShell Script | Powershell Script Block Logging 4104 | T1021.007, T1069.003, T1078, T1098, T1136.003 | Anomaly | Azure Active Directory Persistence, Azure Active Directory Account Takeover, Azure Active Directory Privilege Escalation | 2026-05-13 |
| GetWmiObject DS User with PowerShell Script Block | Powershell Script Block Logging 4104 | T1087.002 | TTP | Active Directory Discovery | 2026-05-13 |
| Windows Sensitive Group Discovery With Net | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1069.002 | Anomaly | Active Directory Discovery, Rhysida Ransomware, Volt Typhoon, IcedID, Microsoft WSUS CVE-2025-59287, BlackSuit Ransomware | 2026-05-13 |
| GetLocalUser with PowerShell | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1087.001 | Hunting | Active Directory Discovery | 2026-05-13 |
| MacOS Network Share Discovery | Osquery Results | T1135 | Anomaly | MacOS Post-Exploitation | 2026-05-13 |
| Windows System Network Config Discovery Display DNS | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1016 | Anomaly | Medusa Ransomware, Water Gamayun, Prestige Ransomware, Windows Post-Exploitation | 2026-05-13 |
| Get ADDefaultDomainPasswordPolicy with Powershell Script Block | Powershell Script Block Logging 4104 | T1201 | Hunting | Active Directory Discovery | 2026-05-13 |
| Advanced IP or Port Scanner Execution | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1046, T1135 | Anomaly | Windows Defense Evasion Tactics | 2026-05-13 |
| GetNetTcpconnection with PowerShell | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1049 | Hunting | Active Directory Discovery | 2026-05-13 |
| Domain Group Discovery With Wmic | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1069.002 | Hunting | Active Directory Discovery | 2026-05-13 |
| Windows Wmic CPU Discovery | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1082 | Anomaly | LAMEHUG | 2026-05-13 |
| Windows Registry Entries Exported Via Reg | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1012 | Hunting | CISA AA23-347A, Prestige Ransomware, Windows Post-Exploitation | 2026-05-13 |
| Windows Non Discord App Access Discord LevelDB | Windows Event Log Security 4663 | T1012 | Anomaly | Snake Keylogger, BlankGrabber Stealer, PXA Stealer, StealC Stealer | 2026-05-13 |
| GetWmiObject User Account with PowerShell | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1087.001 | Hunting | Water Gamayun, Active Directory Discovery, Winter Vivern | 2026-05-13 |
| PowerShell Get LocalGroup Discovery | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1069.001 | Hunting | Active Directory Discovery | 2026-05-13 |
| GetCurrent User with PowerShell Script Block | Powershell Script Block Logging 4104 | T1033 | Hunting | Active Directory Discovery | 2026-05-13 |
| Windows Account Discovery With NetUser PreauthNotRequire | Powershell Script Block Logging 4104 | T1087 | Hunting | CISA AA23-347A | 2026-05-13 |
| Detect SharpHound File Modifications | Sysmon EventID 11 | T1069.001, T1069.002, T1087.001, T1087.002, T1482 | TTP | BlackSuit Ransomware, Ransomware, Windows Discovery Techniques | 2026-05-13 |
| Network Traffic to Active Directory Web Services Protocol | Sysmon EventID 3 | T1069.001, T1069.002, T1087.001, T1087.002, T1482 | Hunting | Windows Discovery Techniques | 2026-05-13 |
| Windows System Time Discovery W32tm Delay | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1124 | Anomaly | DarkCrystal RAT | 2026-05-13 |
| Domain Controller Discovery with Nltest | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1018 | TTP | Active Directory Discovery, Rhysida Ransomware, Medusa Ransomware, NetSupport RMM Tool Abuse, BlackSuit Ransomware, CISA AA23-347A | 2026-05-13 |
| Cisco NVM - Suspicious Network Connection to IP Lookup Service API | Cisco Network Visibility Module Flow Data | T1016, T1590.005 | Anomaly | BlankGrabber Stealer, Cisco Network Visibility Module Analytics, Castle RAT | 2026-05-13 |
| Windows PsTools Recon Usage | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1018, T1046, T1082 | Anomaly | Compromised Windows Host | 2026-05-13 |
| GetCurrent User with PowerShell | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1033 | Hunting | Active Directory Discovery | 2026-05-13 |
| Powershell Get LocalGroup Discovery with Script Block Logging | Powershell Script Block Logging 4104 | T1069.001 | Hunting | Active Directory Discovery | 2026-05-13 |
| Windows Account Discovery for Sam Account Name | Powershell Script Block Logging 4104 | T1087 | Anomaly | CISA AA23-347A | 2026-05-13 |
| Windows Information Discovery Fsutil | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1082 | Anomaly | Prestige Ransomware, Windows Post-Exploitation | 2026-05-13 |
| Windows Query Registry Browser List Application | Windows Event Log Security 4663 | T1012 | Anomaly | Salt Typhoon, SnappyBee, RedLine Stealer, China-Nexus Threat Activity | 2026-05-13 |
| Linux Auditd Whoami User Discovery | Linux Auditd Syscall | T1033 | Anomaly | Compromised Linux Host, QuietVault, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land | 2026-05-13 |
| Enumerate Users Local Group Using Telegram | Windows Event Log Security 4798 | T1087 | TTP | Water Gamayun, XMRig, Compromised Windows Host | 2026-05-13 |
| AdsiSearcher Account Discovery | Powershell Script Block Logging 4104 | T1087.002 | TTP | Active Directory Discovery, Scattered Lapsus$ Hunters, Data Destruction, Industroyer2, CISA AA23-347A | 2026-05-13 |
| Network Share Discovery Via Dir Command | Windows Event Log Security 5140 | T1135 | Hunting | IcedID | 2026-05-13 |
| NLTest Domain Trust Discovery | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1482 | TTP | Qakbot, Active Directory Discovery, Cleo File Transfer Software, Domain Trust Discovery, Rhysida Ransomware, Ryuk Ransomware, Storm-0501 Ransomware, IcedID, Medusa Ransomware | 2026-05-13 |
| Linux Auditd Kernel Module Enumeration | Linux Auditd Syscall | T1014, T1082 | Anomaly | Linux Rootkit, Compromised Linux Host, XorDDos | 2026-05-13 |
| Network Connection Discovery With Arp | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1049 | Hunting | Qakbot, Active Directory Discovery, Windows Post-Exploitation, Volt Typhoon, Prestige Ransomware, IcedID, Interlock Ransomware | 2026-05-13 |
| Elevated Group Discovery With Wmic | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1069.002 | TTP | Active Directory Discovery | 2026-05-13 |
| Windows System User Discovery Via Quser | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1033 | Hunting | Crypto Stealer, Prestige Ransomware, Windows Post-Exploitation | 2026-05-13 |
| Get ADUserResultantPasswordPolicy with Powershell | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1201 | TTP | Active Directory Discovery, CISA AA23-347A | 2026-05-13 |
| Windows Credentials from Password Stores Chrome Extension Access | Windows Event Log Security 4663 | T1012 | Anomaly | Braodo Stealer, Meduza Stealer, Malicious Inno Setup Loader, StealC Stealer, Amadey, MoonPeak, 0bj3ctivity Stealer, DarkGate Malware, Phemedrone Stealer, BlankGrabber Stealer, CISA AA23-347A, RedLine Stealer | 2026-05-13 |
| Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script | Powershell Script Block Logging 4104 | T1071.001, T1078, T1212, T1482 | TTP | Azure Active Directory Persistence, Azure Active Directory Account Takeover, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Ping Sleep Batch Command | Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1497.003 | Anomaly | WhisperGate, Meduza Stealer, Warzone RAT, Void Manticore, Data Destruction, Quasar RAT, BlackByte Ransomware, Gh0st RAT | 2026-05-13 |
| Web Servers Executing Suspicious Processes | Sysmon EventID 1 | T1082 | TTP | Apache Struts Vulnerability | 2026-05-13 |
| Network Connection Discovery With Netstat | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1049 | Hunting | Qakbot, Active Directory Discovery, Windows Post-Exploitation, Volt Typhoon, CISA AA22-277A, Prestige Ransomware, Medusa Ransomware, PlugX, CISA AA23-347A | 2026-05-13 |
| Get DomainPolicy with Powershell Script Block | Powershell Script Block Logging 4104 | T1201 | TTP | Active Directory Discovery | 2026-05-13 |
| Get-DomainTrust with PowerShell Script Block | Powershell Script Block Logging 4104 | T1482 | TTP | Active Directory Discovery | 2026-05-13 |
| Windows Get-AdComputer Unconstrained Delegation Discovery | Powershell Script Block Logging 4104 | T1018 | TTP | Medusa Ransomware, Active Directory Kerberos Attacks | 2026-05-13 |
| Get ADUser with PowerShell Script Block | Powershell Script Block Logging 4104 | T1087.002 | Hunting | Active Directory Discovery, CISA AA23-347A | 2026-05-13 |
| Get ADDefaultDomainPasswordPolicy with Powershell | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1201 | Hunting | Active Directory Discovery | 2026-05-13 |
| Linux Auditd Database File And Directory Discovery | Linux Auditd Execve | T1083 | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land | 2026-05-13 |
| Windows PowerView AD Access Control List Enumeration | Powershell Script Block Logging 4104 | T1069, T1078.002 | TTP | Active Directory Privilege Escalation, Active Directory Discovery, Rhysida Ransomware | 2026-05-13 |
| Windows System User Privilege Discovery | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1033 | Hunting | CISA AA23-347A | 2026-05-13 |
| Windows File Share Discovery With Powerview | Powershell Script Block Logging 4104 | T1135 | TTP | Active Directory Privilege Escalation, Active Directory Discovery | 2026-05-13 |
| Windows Linked Policies In ADSI Discovery | Powershell Script Block Logging 4104 | T1087.002 | Anomaly | Data Destruction, Active Directory Discovery, Industroyer2 | 2026-05-13 |
| Windows Time Based Evasion | Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1497.003 | TTP | NjRAT, BlankGrabber Stealer | 2026-05-13 |
| Get-ForestTrust with PowerShell Script Block | Powershell Script Block Logging 4104 | T1059.001, T1482 | TTP | Active Directory Discovery | 2026-05-13 |
| Windows Wmic Systeminfo Discovery | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1082 | Anomaly | BlankGrabber Stealer, Lotus Blossom Chrysalis Backdoor, LAMEHUG | 2026-05-13 |
| Windows Chromium Process with Disabled Extensions | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1497 | Anomaly | Browser Hijacking | 2026-05-13 |
| Windows System Discovery Using ldap Nslookup | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1033 | Anomaly | Qakbot | 2026-05-13 |
| Get-DomainTrust with PowerShell | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1482 | TTP | Active Directory Discovery | 2026-05-13 |
| Windows Find Domain Organizational Units with GetDomainOU | Powershell Script Block Logging 4104 | T1087.002 | TTP | Active Directory Discovery | 2026-05-13 |
| Windows Find Interesting ACL with FindInterestingDomainAcl | Powershell Script Block Logging 4104 | T1087.002 | TTP | Active Directory Discovery | 2026-05-13 |
| Windows Ldifde Directory Object Behavior | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1069.002, T1105 | TTP | Volt Typhoon | 2026-05-13 |
| Remote System Discovery with Adsisearcher | Powershell Script Block Logging 4104 | T1018 | TTP | Active Directory Discovery | 2026-05-13 |
| Remote System Discovery with Wmic | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1018 | TTP | Active Directory Discovery | 2026-05-13 |
| Remote System Discovery with Dsquery | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1018 | Anomaly | Active Directory Discovery, LAMEHUG | 2026-05-13 |
| GetWmiObject Ds Group with PowerShell | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1069.002 | Anomaly | Active Directory Discovery | 2026-05-13 |
| Windows Query Registry UnInstall Program List | Windows Event Log Security 4663 | T1012 | Anomaly | Meduza Stealer, RedLine Stealer, StealC Stealer | 2026-05-13 |
| Windows Registry Entries Restored Via Reg | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1012 | Hunting | Prestige Ransomware, Windows Post-Exploitation | 2026-05-13 |
| Windows AdFind Exe | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1018 | TTP | Graceful Wipe Out Attack, Domain Trust Discovery, IcedID, BlackSuit Ransomware, NOBELIUM Group | 2026-05-13 |
| Windows Get Local Admin with FindLocalAdminAccess | Powershell Script Block Logging 4104 | T1087.002 | TTP | Active Directory Discovery | 2026-05-13 |
| Windows Network Connection Discovery Via Net | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1049 | Hunting | Active Directory Discovery, Prestige Ransomware, Windows Post-Exploitation, Azorult | 2026-05-13 |
| Domain Group Discovery With Dsquery | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1069.002 | Anomaly | Active Directory Discovery, LAMEHUG | 2026-05-13 |
| GetDomainController with PowerShell | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1018 | Hunting | Active Directory Discovery | 2026-05-13 |
| Domain Account Discovery with Wmic | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1087.002 | TTP | Active Directory Discovery, Interlock Ransomware | 2026-05-13 |
| Domain Group Discovery with Adsisearcher | Powershell Script Block Logging 4104 | T1069.002 | TTP | Active Directory Discovery, Scattered Lapsus$ Hunters | 2026-05-13 |
| User Discovery With Env Vars PowerShell Script Block | Powershell Script Block Logging 4104 | T1033 | Hunting | Active Directory Discovery | 2026-05-13 |
| GetDomainComputer with PowerShell | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1018 | TTP | Active Directory Discovery | 2026-05-13 |
| Windows Special Privileged Logon On Multiple Hosts | Windows Event Log Security 4672 | T1021.002, T1087, T1135 | TTP | Active Directory Privilege Escalation, Compromised Windows Host, Active Directory Lateral Movement | 2026-05-13 |
| Windows Time Based Evasion via Choice Exec | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1497.003 | Anomaly | Snake Keylogger, 0bj3ctivity Stealer, VIP Keylogger | 2026-05-13 |
| Linux System Network Discovery | Sysmon for Linux EventID 1, Osquery Results | T1016 | Anomaly | Data Destruction, VoidLink Cloud-Native Linux Malware, Network Discovery, Industroyer2 | 2026-05-13 |
| Windows Wmic DiskDrive Discovery | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1082 | Anomaly | LAMEHUG | 2026-05-13 |
| Windows PowerView Constrained Delegation Discovery | Powershell Script Block Logging 4104 | T1018 | TTP | Rhysida Ransomware, Active Directory Kerberos Attacks, CISA AA23-347A | 2026-05-13 |
| System Information Discovery Detection | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1082 | TTP | Cleo File Transfer Software, NetSupport RMM Tool Abuse, Windows Discovery Techniques, Lotus Blossom Chrysalis Backdoor, SolarWinds WHD RCE Post Exploitation, LAMEHUG, BlankGrabber Stealer, Medusa Ransomware, Gozi Malware, BlackSuit Ransomware, Interlock Ransomware | 2026-05-13 |
| GetDomainGroup with PowerShell Script Block | Powershell Script Block Logging 4104 | T1069.002 | TTP | Active Directory Discovery | 2026-05-13 |
| Windows PowerShell Invoke-RestMethod IP Information Collection | Powershell Script Block Logging 4104 | T1016, T1059.001, T1082 | Anomaly | Water Gamayun | 2026-05-13 |
| Windows Chromium Browser Launched with Small Window Size | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1497 | TTP | Browser Hijacking | 2026-05-13 |
| Get DomainUser with PowerShell Script Block | Powershell Script Block Logging 4104 | T1087.002 | TTP | Active Directory Discovery, CISA AA23-347A | 2026-05-13 |
| Linux Auditd System Network Configuration Discovery | Linux Auditd Syscall | T1016 | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land | 2026-05-13 |
| GetAdGroup with PowerShell | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1069.002 | Hunting | Active Directory Discovery | 2026-05-13 |
| GetNetTcpconnection with PowerShell Script Block | Powershell Script Block Logging 4104 | T1049 | Hunting | Active Directory Discovery | 2026-05-13 |
| Linux Auditd Virtual Disk File And Directory Discovery | Linux Auditd Execve | T1083 | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land | 2026-05-13 |
| Potential System Network Configuration Discovery Activity | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1016 | Anomaly | Unusual Processes | 2026-05-13 |
| Check Elevated CMD using whoami | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1033 | TTP | FIN7 | 2026-05-13 |
| Get DomainUser with PowerShell | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1087.002 | TTP | Active Directory Discovery, CISA AA23-347A | 2026-05-13 |
| Get ADUserResultantPasswordPolicy with Powershell Script Block | Powershell Script Block Logging 4104 | T1201 | TTP | Active Directory Discovery, CISA AA23-347A | 2026-05-13 |
| Linux Auditd File And Directory Discovery | Linux Auditd Execve | T1083 | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land | 2026-05-13 |
| GetAdGroup with PowerShell Script Block | Powershell Script Block Logging 4104 | T1069.002 | Hunting | Active Directory Discovery, Scattered Lapsus$ Hunters | 2026-05-13 |
| GetDomainController with PowerShell Script Block | Powershell Script Block Logging 4104 | T1018 | TTP | Active Directory Discovery | 2026-05-13 |
| Windows Wmic Memory Chip Discovery | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1082 | Anomaly | LAMEHUG | 2026-05-13 |
| Windows EventLog Recon Activity Using Log Query Utilities | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1654 | Anomaly | BlankGrabber Stealer, Windows Discovery Techniques | 2026-05-13 |
| GetAdComputer with PowerShell | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1018 | Hunting | Medusa Ransomware, Active Directory Discovery | 2026-05-13 |
| Windows Wmic Network Discovery | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1082 | Anomaly | LAMEHUG | 2026-05-13 |
| Get WMIObject Group Discovery with Script Block Logging | Powershell Script Block Logging 4104 | T1069.001 | Hunting | Active Directory Discovery | 2026-05-13 |
| Windows Admin Permission Discovery | Sysmon EventID 11 | T1069.001 | Anomaly | NjRAT | 2026-05-13 |
| Windows Post Exploitation Risk Behavior |  | T1003, T1012, T1016, T1049, T1069, T1082, T1115, T1552 | Correlation | Windows Post-Exploitation | 2026-05-13 |
| Windows Network Share Interaction Via Net | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1039, T1135 | Hunting | Active Directory Privilege Escalation, Active Directory Discovery, Network Discovery | 2026-05-13 |
| GetLocalUser with PowerShell Script Block | Powershell Script Block Logging 4104 | T1059.001, T1087.001 | Hunting | Malicious PowerShell, Active Directory Discovery | 2026-05-13 |
| Windows Root Domain linked policies Discovery | Powershell Script Block Logging 4104 | T1087.002 | Anomaly | Data Destruction, Active Directory Discovery, Industroyer2 | 2026-05-13 |
| Get-ForestTrust with PowerShell | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1482 | TTP | Active Directory Discovery | 2026-05-13 |
| GetAdComputer with PowerShell Script Block | Powershell Script Block Logging 4104 | T1018 | Hunting | CISA AA22-320A, Medusa Ransomware, Active Directory Discovery, Gozi Malware | 2026-05-13 |
| MacOS List Firewall Rules | Osquery Results | T1016 | Anomaly | Network Discovery | 2026-05-13 |
| Detect AzureHound File Modifications | Sysmon EventID 11 | T1069.001, T1069.002, T1087.001, T1087.002, T1482 | TTP | Windows Discovery Techniques | 2026-05-13 |
| Windows Process Commandline Discovery | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1057 | Hunting | CISA AA23-347A | 2026-05-13 |
| GetWmiObject Ds Computer with PowerShell Script Block | Powershell Script Block Logging 4104 | T1018 | TTP | Active Directory Discovery | 2026-05-13 |
| Windows AD Abnormal Object Access Activity | Windows Event Log Security 4662 | T1087.002 | Anomaly | Active Directory Discovery, BlackSuit Ransomware | 2026-05-13 |
| Windows System Network Connections Discovery Netsh | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1049 | Anomaly | VIP Keylogger, Windows Post-Exploitation, Prestige Ransomware, Snake Keylogger, BlankGrabber Stealer | 2026-05-13 |
| Get DomainPolicy with Powershell | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1201 | TTP | Active Directory Discovery | 2026-05-13 |
| Get WMIObject Group Discovery | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1069.001 | Hunting | Active Directory Discovery | 2026-05-13 |
| Windows Credentials from Password Stores Chrome LocalState Access | Windows Event Log Security 4663 | T1012 | Anomaly | Braodo Stealer, Scattered Lapsus$ Hunters, PXA Stealer, Phemedrone Stealer, SnappyBee, Meduza Stealer, StealC Stealer, NjRAT, Salt Typhoon, Malicious Inno Setup Loader, Amadey, Quasar RAT, DarkGate Malware, Snake Keylogger, RedLine Stealer, China-Nexus Threat Activity, VIP Keylogger, Warzone RAT, Earth Alux, MoonPeak, 0bj3ctivity Stealer, BlankGrabber Stealer, Lokibot | 2026-05-13 |
| Windows Credentials from Password Stores Chrome Login Data Access | Windows Event Log Security 4663 | T1012 | Anomaly | Braodo Stealer, Scattered Lapsus$ Hunters, PXA Stealer, Phemedrone Stealer, SnappyBee, Meduza Stealer, StealC Stealer, NjRAT, Salt Typhoon, Malicious Inno Setup Loader, Amadey, Quasar RAT, DarkGate Malware, Snake Keylogger, RedLine Stealer, China-Nexus Threat Activity, VIP Keylogger, Warzone RAT, Earth Alux, MoonPeak, 0bj3ctivity Stealer, BlankGrabber Stealer, Lokibot | 2026-05-13 |
| Domain Account Discovery with Dsquery | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1087.002 | Anomaly | Active Directory Discovery, LAMEHUG | 2026-05-13 |
| Windows Software Discovery Via PowerShell | Powershell Script Block Logging 4104 | T1012, T1059.001, T1518 | Anomaly | Windows Discovery Techniques | 2026-05-13 |
| Windows Account Discovery for None Disable User Account | Powershell Script Block Logging 4104 | T1087.001 | Hunting | CISA AA23-347A | 2026-05-13 |
| GetDomainComputer with PowerShell Script Block | Powershell Script Block Logging 4104 | T1018 | TTP | Active Directory Discovery | 2026-05-13 |
| Windows Suspect Process With Authentication Traffic | Sysmon EventID 3 | T1087.002, T1204.002 | Anomaly | Active Directory Discovery | 2026-05-13 |
| Windows System Discovery Using Qwinsta | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1033 | Hunting | Qakbot | 2026-05-13 |
| Get ADUser with PowerShell | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1087.002 | Hunting | Active Directory Discovery, CISA AA23-347A | 2026-05-13 |
| Headless Browser Usage | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1497, T1564.003 | Anomaly | Forest Blizzard, Browser Hijacking | 2026-05-13 |
| Network Discovery Using Route Windows App | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1016.001 | Hunting | Qakbot, Active Directory Discovery, Windows Post-Exploitation, CISA AA22-277A, Prestige Ransomware | 2026-05-13 |
| Detect SharpHound Command-Line Arguments | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1069.001, T1069.002, T1087.001, T1087.002, T1482 | TTP | BlackSuit Ransomware, Ransomware, Windows Discovery Techniques | 2026-05-13 |
| Windows Netspy Network Scanner Execution | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1018, T1595 | Anomaly | Windows Discovery Techniques, Network Discovery | 2026-05-13 |
| Windows Forest Discovery with GetForestDomain | Powershell Script Block Logging 4104 | T1087.002 | TTP | Active Directory Discovery | 2026-05-13 |
| Windows Chromium Browser No Security Sandbox Process | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1497 | TTP | Malicious Inno Setup Loader | 2026-05-13 |
| Windows System Remote Discovery With Query | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1033 | Hunting | Medusa Ransomware, Active Directory Discovery | 2026-05-13 |
| Windows Common Abused Cmd Shell Risk Behavior |  | T1016, T1033, T1049, T1059, T1222, T1529 | Correlation | Qakbot, Windows Defense Evasion Tactics, Disabling Security Tools, Sandworm Tools, FIN7, Windows Post-Exploitation, Volt Typhoon, DarkCrystal RAT, Azorult, Microsoft WSUS CVE-2025-59287, Netsh Abuse, CISA AA23-347A | 2026-05-13 |
| Windows PowerView Unconstrained Delegation Discovery | Powershell Script Block Logging 4104 | T1018 | TTP | Rhysida Ransomware, Active Directory Kerberos Attacks, CISA AA23-347A | 2026-05-13 |
| GetWmiObject Ds Computer with PowerShell | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1018 | Anomaly | Active Directory Discovery | 2026-05-13 |
| Windows Product Key Registry Query | Windows Event Log Security 4663 | T1012 | Anomaly | BlankGrabber Stealer | 2026-05-13 |
| GetWmiObject DS User with PowerShell | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1087.002 | Anomaly | Active Directory Discovery | 2026-05-13 |
| GetDomainGroup with PowerShell | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1069.002 | TTP | Active Directory Discovery | 2026-05-13 |
| GetWmiObject User Account with PowerShell Script Block | Powershell Script Block Logging 4104 | T1059.001, T1087.001 | Hunting | Malicious PowerShell, Active Directory Discovery, Winter Vivern | 2026-05-13 |
| Windows User Discovery Via Net | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1087.001 | Hunting | Medusa Ransomware, Active Directory Discovery, Sandworm Tools | 2026-05-13 |
| Linux Kernel Module Enumeration | Sysmon for Linux EventID 1 | T1014, T1082 | Anomaly | Linux Rootkit, XorDDos | 2026-05-13 |
| Detect AzureHound Command-Line Arguments | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1069.001, T1069.002, T1087.001, T1087.002, T1482 | TTP | Compromised Windows Host, Windows Discovery Techniques | 2026-05-13 |
| Windows Chromium Browser with Custom User Data Directory | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1497 | Anomaly | Lokibot, Malicious Inno Setup Loader, StealC Stealer | 2026-05-13 |
| Linux Auditd Hidden Files And Directories Creation | Linux Auditd Execve | T1083 | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land | 2026-05-13 |
| Detect SharpHound Usage | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1069.001, T1069.002, T1087.001, T1087.002, T1482 | TTP | Ransomware, Windows Discovery Techniques | 2026-05-13 |
| SchCache Change By App Connect And Create ADSI Object | Sysmon EventID 11 | T1087.002 | Anomaly | BlackMatter Ransomware | 2026-05-13 |
| Windows WinPEAS PowerShell Script Execution | Powershell Script Block Logging 4104 | T1007, T1016, T1033, T1082, T1590, T1592.002, T1592.004, T1615 | TTP | Windows Post-Exploitation | 2026-05-13 |
| Local Account Discovery With Wmic | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1087.001 | Hunting | Active Directory Discovery, Scattered Lapsus$ Hunters | 2026-05-13 |
| Windows Credential Access From Browser Password Store | Windows Event Log Security 4663 | T1012 | Anomaly | Braodo Stealer, SnappyBee, Meduza Stealer, China-Nexus Threat Activity, VIP Keylogger, Scattered Lapsus$ Hunters, Salt Typhoon, Earth Alux, PXA Stealer, StealC Stealer, Malicious Inno Setup Loader, MoonPeak, 0bj3ctivity Stealer, Quasar RAT, Snake Keylogger, Scattered Spider, BlankGrabber Stealer | 2026-05-13 |
| Windows SOAPHound Binary Execution | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1069.001, T1069.002, T1087.001, T1087.002, T1482 | TTP | Compromised Windows Host, Windows Discovery Techniques | 2026-05-13 |
| Detect attackers scanning for vulnerable JBoss servers |  |  |  |  |  |
|
|
T1082
T1133
|
TTP
|
JBoss Vulnerability, SamSam Ransomware
|
2026-05-13
|
|
ESXi Bulk VM Termination
|
VMWare ESXi Syslog
|
T1499
T1529
T1673
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Cisco ASA - Reconnaissance Command Activity
|
Cisco ASA Logs
|
T1082
T1590.001
T1590.005
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
Okta IDP Lifecycle Modifications
|
Okta
|
T1087.004
|
Anomaly
|
Suspicious Okta Activity
|
2026-05-13
|
|
Cisco ASA - Packet Capture Activity
|
Cisco ASA Logs
|
T1040
T1557
|
Anomaly
|
ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
ESXi VM Discovery
|
VMWare ESXi Syslog
|
T1673
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware, China-Nexus Threat Activity
|
2026-05-13
|
|
Okta Unauthorized Access to Application
|
Okta
|
T1087.004
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
Okta Multiple Failed Requests to Access Applications
|
Okta
|
T1538
T1550.004
|
Hunting
|
Okta Account Takeover
|
2026-05-13
|
|
ESXi System Information Discovery
|
VMWare ESXi Syslog
|
T1082
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Kubernetes Scanner Image Pulling
|
|
T1526
|
TTP
|
Dev Sec Ops
|
2026-05-13
|
|
ASL AWS IAM Successful Group Deletion
|
ASL AWS CloudTrail
|
T1069.003
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
ASL AWS IAM AccessDenied Discovery Events
|
ASL AWS CloudTrail
|
T1580
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
AWS Excessive Security Scanning
|
AWS CloudTrail
|
T1526
|
TTP
|
AWS User Monitoring
|
2026-05-13
|
|
Azure AD AzureHound UserAgent Detected
|
Azure Active Directory MicrosoftGraphActivityLogs, Azure Active Directory NonInteractiveUserSignInLogs
|
T1087.004
T1526
|
TTP
|
Azure Active Directory Privilege Escalation, Compromised User Account
|
2026-05-13
|
|
Kubernetes Scanning by Unauthenticated IP Address
|
Kubernetes Audit
|
T1046
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
AWS IAM AccessDenied Discovery Events
|
AWS CloudTrail
|
T1580
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
Amazon EKS Kubernetes cluster scan detection
|
|
T1526
|
Hunting
|
Kubernetes Scanning Activity
|
2026-05-13
|
|
AWS IAM Assume Role Policy Brute Force
|
AWS CloudTrail
|
T1110
T1580
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
AWS High Number Of Failed Authentications For User
|
AWS CloudTrail ConsoleLogin
|
T1201
|
Anomaly
|
Compromised User Account, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
Kubernetes Suspicious Image Pulling
|
Kubernetes Audit
|
T1526
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Azure AD Service Principal Enumeration
|
Azure Active Directory MicrosoftGraphActivityLogs
|
T1087.004
T1526
|
TTP
|
Azure Active Directory Privilege Escalation, Compromised User Account
|
2026-05-13
|
|
Kubernetes Access Scanning
|
Kubernetes Audit
|
T1046
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
AWS Password Policy Changes
|
AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy
|
T1201
|
Hunting
|
Compromised User Account, AWS IAM Privilege Escalation
|
2026-05-13
|
|
AWS IAM Successful Group Deletion
|
AWS CloudTrail DeleteGroup
|
T1069.003
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Amazon EKS Kubernetes Pod scan detection
|
|
T1526
|
Hunting
|
Kubernetes Scanning Activity
|
2026-05-13
|
|
ASL AWS IAM Assume Role Policy Brute Force
|
ASL AWS CloudTrail
|
T1110
T1580
|
TTP
|
Scattered Lapsus$ Hunters, AWS IAM Privilege Escalation
|
2026-05-13
|
|
GCP Kubernetes cluster pod scan detection
|
|
T1526
|
Hunting
|
Kubernetes Scanning Activity, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
AWS Bedrock High Number List Foundation Model Failures
|
AWS CloudTrail
|
T1580
|
TTP
|
AWS Bedrock Security
|
2026-05-13
|
|
Internal Horizontal Port Scan NMAP Top 20
|
AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event
|
T1046
|
TTP
|
Scattered Lapsus$ Hunters, China-Nexus Threat Activity, Network Discovery, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Blocked Connection
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1018
T1046
T1110
T1203
T1595.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Internal Horizontal Port Scan
|
AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event
|
T1046
|
TTP
|
Scattered Lapsus$ Hunters, China-Nexus Threat Activity, Network Discovery, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Repeated Blocked Connections
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1018
T1046
T1110
T1203
T1595.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Internal Vulnerability Scan
|
|
T1046
T1595.002
|
TTP
|
Scattered Lapsus$ Hunters, Network Discovery
|
2026-05-13
|
|
Internal Vertical Port Scan
|
AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event
|
T1046
|
TTP
|
Scattered Lapsus$ Hunters, China-Nexus Threat Activity, Network Discovery, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco SNMP Community String Configuration Changes
|
Cisco IOS Logs
|
T1040
T1552
T1685
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|